446 Australian breach notifications with 30% of system faults found after a year

976 data breach notifications were made to the OAIC in the 2020-21 financial year, with health keeping its crown as the most breached sector. In the second half of the year, 30% of entities reported an incident due to a system fault they found 12 months later.
Written by Asha Barbaschow, Contributor

The health services industry has continued to be the sector responsible for the highest number of reported data breaches in Australia, accounting for 85 of the 446 total breaches notified to the Office of the Australian Information Commissioner (OAIC) in the six months to 30 June 2021.

The 446 total is down 16% when compared to the previous six month's figure of 530 notifications. For the 2020-21 financial year, 976 notifications were received under the Notifiable Data Breaches (NDB) scheme.

March saw the highest number of notifications with 102.

In the reporting period, 81% of breaches were identified by the entity within 30 days of it occurring, but in 4% of occasions, it took the entity longer than 365 days.

"For data breaches caused by malicious or criminal attack or human error, more than 80% of entities identified the incident within 30 days of it occurring," the OAIC wrote. "Where entities experienced a data breach resulting from a system fault, only 61% identified the incident within 30 days, and 30% did not become aware of the incident for over a year."

In the reporting period, 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach. 27 entities took longer than 120 days from when they became aware of an incident to notify the OAIC.

71% of Australian government agencies reporting an incident identified it within 30 days; 9%, however, took over a year to identify it, and 3% took over a year to notify the OAIC.

Since the scheme became mandatory, health has been the most affected sector. Coming in second to health this half was the finance sector, which accounted for 57 notifications, followed by legal and accounting with 35, and the Australian government and insurance sectors each with 34.

The Australian government entered the top five sectors in the first half of FY21.

All agencies and organisations in Australia that are covered by the Privacy Act 1988 are required to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach. The Privacy Act covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.

In its latest six-month report [PDF] capturing notifications made under the NDB scheme, the OAIC said most data breaches involved the personal information of 5,000 individuals or fewer.

Three notifications affected over 1 million individuals, with one affecting over 10 million individuals.

Contact information, identity information, and financial details continue to be the most common types of personal information involved in data breaches. 407 -- or 91% -- of breaches notified under the scheme involved contact information, such as an individual's name, home address, phone number, or email address.

247 instances saw the breach of identity information, 193 exposed financial information, 136 health information, tax file numbers were exposed in 102 breaches, and other sensitive information was compromised in 75 of the occasions.

Malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 289 breaches. 192 breaches were caused by "cyber incidents", 35 resulted from social engineering or impersonation, 28 were caused by the actions of a rogue employee or insider threat, and theft of paperwork or storage devices was responsible for 34 notifications.

The report says human error also remained a major source of breaches, accounting for 134 notifications, while system faults accounted for the remaining 23 breaches.

Human error breaches include sending personal information to the wrong recipient via email, unintended release or publication of personal information, and failure to use the blind carbon copy function when sending group emails.

Unauthorised disclosure/unintended release or publication occurred in 31 notifications. This alone affected 523,998 individuals.

The Australian government did not report any incidents pertaining to system faults, but reported 25 as human error, and nine as a malicious or criminal attack. The Australian government also reported one incident as "hacking".

The top sources of cyber incidents during the reporting period were phishing, compromised or stolen credentials, and ransomware.

"More than half of cyber incidents (62%) during the reporting period involved malicious actors gaining access to accounts using compromised or stolen credentials," OAIC said. "The most common method used by malicious actors to obtain compromised credentials was email-based phishing (58 notifications)."

Ransomware incidents increased by 24% in the second half of the year, up from 37 in the first half to 46.

[Figure: Data breach notifications under the NDB scheme since inception. Image: OAIC]
